DJ Spiess

Reputation: 993

Trying to setup user pool authentication for API Gateway

I'm trying to setup security on an API using Cognito user pools. I'm getting back 401 Unauthorized.

The API and User Pools are existing, and I've been using the user pool to log into an application. I'm now trying to secure the API calls.

I created an authorizer on the API:

[screenshot: Authorizer]

Then I added the authorizer to one GET method in the API

Then finally I tried to test the API in Postman. I'm using the AWS Signature authorization.

Calling the method returns 401. The method functioned before with no security, and turning off the authorizer makes it work again (without security).

Any ideas what step I'm missing?

Upvotes: 1

Views: 1752

Answers (2)

asr9

Reputation: 2768

For authorization using Postman when using Cognito user pools, choose No Auth. Then add a header Authorization (the value in the token source field of your authorizer) and copy the id_token into that header value. I did not have to add anything else besides that to make it work (i.e. no bearer).

Upvotes: 0

KiteCoder

Reputation: 2452

The AWS Signature authorization is different from a Custom Authorizer.

The AWS Signature authorization (Postman) requests an AWS AccessKey and SecretKey to authenticate requests. This corresponds to IAM Authentication in API Gateway. The AccessKey and SecretKey are received through IAM.

A Custom Authorizer takes a JWT called #id_token that is issued by your specified Cognito User Pool. To test the validity of the token, go to your custom authorizer and click test, and then copy and paste the token into the text area.

The way to perform the Custom Authorizer authentication is this:

  1. Obtain an #id_token from your user pool by following the AWS configuration.
  2. Configure API Gateway with a Cognito custom Authorizer with your user pool as the source (it seems you have done this correctly).
  3. Use OAuth 2.0 as Authorization in Postman, with your #id_token as the Access Token, or add the header Authorization with the value Bearer and the #id_token.

Drop a comment if you want me to add the AWS Signature Auth Flow.

Upvotes: 1
